Manual Chapter : About BIG-IP AFM NAT
Applies To: 15.0.1, 15.0.0
About BIG-IP AFM NAT
AFM NAT features
BIG-IP Advanced Firewall Manager (AFM) supports industry standard Network Address Translation (NAT) and Port Address Translation (PAT) functionality. AFM NAT provides a variety of static and dynamic NAT and PAT modes to help you translate and map IPv4 and IPv6 addresses between networks.
AFM NAT also provides a variety of additional features to help you control and monitor NAT mapping events.
The terms translation and mapping are at times used interchangeably or together. Specifically:
- Translation refers to modifying the source or destination IP address or service port of network packets as they cross network boundaries.
- Mapping refers to recording or tracking a successful translation. For example, without a translation mapping, AFM NAT cannot know to which private address a packet arriving from the public side should be sent.
- Translation Address Persistence: Provides endpoint-independent address mapping, assigning the same external translation IP address to all connections originated by the same internal client.
- Proxy ARP and ICMP Echo requests: AFM NAT responds to Proxy ARP requests and ICMP Echo requests sent to translated source IP addresses, so that neighboring devices can resolve and reach those addresses.
- Route advertisement: Destination IP addresses configured in a NAT policy can be passed to the BIG-IP system's advanced routing module and advertised to peer routers through dynamic routing protocols such as OSPF and BGP.
- Deterministic mode: Uses a reversible mapping to reduce the volume of log messages while retaining the ability to determine which internal client used a given translated IP address and port, for troubleshooting and compliance. Deterministic mode also provides an option to configure backup addresses.
- Port block allocation: PBA mode reduces the volume of logging by creating log entries only when a subscriber first establishes a network connection. PBA mode assigns each subscriber a single IP address and a block of ports, and releases the block when no more connections are using it.
- Event Logs viewer: AFM NAT can store NAT mapping events in the local MySQL database. Using the Configuration Utility, you can perform advanced searches based on NAT mapping time, IP addresses, and service ports.
- Log messages: AFM NAT supports log messages that map external addresses and ports back to internal clients, both for troubleshooting and for compliance with law enforcement and legal requirements.
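The following Python model, added here as an illustration and not F5 code, shows why Deterministic mode and PBA need far fewer log lines than per-connection NAPT while still answering the compliance question "which internal client was behind external address X, port Y?". The deterministic arithmetic (hosts per external address, fixed port range per host) is an assumed scheme, not F5's implementation; the PBA model also logs block release, which is this example's choice, so that a replayed log can answer lookups after a block has been reused. All addresses and events are constructed.

```python
"""Model of deterministic NAT and port block allocation (PBA) logging.

Added example, not F5 code: the mapping arithmetic and the log format are
assumed for illustration; every address and event below is constructed.
"""
from ipaddress import IPv4Address, IPv4Network


class DeterministicNat:
    """Reversible mapping: the i-th host of the internal prefix always gets the
    same external address and the same contiguous port range, so no
    per-connection log is needed to recover the internal client."""

    def __init__(self, internal, external, port_lo=1024, port_hi=65535):
        self.internal = IPv4Network(internal)
        self.external = [IPv4Address(a) for a in external]
        self.port_lo = port_lo
        # ceil(hosts / external addresses): internal hosts per external address
        self.hosts_per_ext = -(-self.internal.num_addresses // len(self.external))
        self.block = (port_hi - port_lo + 1) // self.hosts_per_ext
        if self.block < 1:
            raise ValueError("not enough external ports for the internal prefix")

    def forward(self, host):
        """Internal host -> (external address, first port, last port)."""
        host = IPv4Address(host)
        if host not in self.internal:
            raise ValueError(f"{host} is outside {self.internal}")
        idx = int(host) - int(self.internal.network_address)
        ext = self.external[idx // self.hosts_per_ext]
        lo = self.port_lo + (idx % self.hosts_per_ext) * self.block
        return ext, lo, lo + self.block - 1

    def reverse(self, ext, port):
        """External address and port -> internal host (the compliance lookup)."""
        slot = (port - self.port_lo) // self.block
        idx = self.external.index(IPv4Address(ext)) * self.hosts_per_ext + slot
        if port < self.port_lo or slot >= self.hosts_per_ext or idx >= self.internal.num_addresses:
            raise ValueError(f"no internal host maps to {ext}:{port}")
        return self.internal.network_address + idx


class PortBlockAllocator:
    """PBA: a subscriber receives one external address and one block of ports
    on its first connection and keeps it until its last connection closes.
    Only block allocation and release are logged, never single connections."""

    def __init__(self, external, block_size=512, port_lo=1024, port_hi=65535):
        self.free = [(IPv4Address(ext), lo, lo + block_size - 1)
                     for ext in external
                     for lo in range(port_lo, port_hi - block_size + 2, block_size)]
        self.blocks = {}   # subscriber -> (ext, lo, hi)
        self.active = {}   # subscriber -> live connection count
        self.log = []      # (seq, event, subscriber, ext, lo, hi)

    def connect(self, subscriber):
        sub = IPv4Address(subscriber)
        if sub not in self.blocks:
            if not self.free:
                raise RuntimeError("port blocks exhausted")
            self.blocks[sub] = self.free.pop(0)
            self.active[sub] = 0
            self.log.append((len(self.log), "alloc", sub) + self.blocks[sub])
        self.active[sub] += 1
        return self.blocks[sub]

    def disconnect(self, subscriber):
        sub = IPv4Address(subscriber)
        self.active[sub] -= 1
        if self.active[sub] == 0:
            blk = self.blocks.pop(sub)
            del self.active[sub]
            self.free.append(blk)
            self.log.append((len(self.log), "release", sub) + blk)


def holder_at(log, ext, port, seq):
    """Replay the PBA log through event `seq` and return the subscriber that
    held ext:port at that point, or None if the port was unallocated."""
    ext = IPv4Address(ext)
    holders = {}   # (ext, lo, hi) -> subscriber
    for s, event, sub, e, lo, hi in log:
        if s > seq:
            break
        if event == "alloc":
            holders[(e, lo, hi)] = sub
        else:
            holders.pop((e, lo, hi), None)
    for (e, lo, hi), sub in holders.items():
        if e == ext and lo <= port <= hi:
            return sub
    return None


if __name__ == "__main__":
    nat = DeterministicNat("10.0.0.0/24", ["203.0.113.1", "203.0.113.2"])
    print(nat.forward("10.0.0.5"), nat.reverse("203.0.113.1", 4000))
    pba = PortBlockAllocator(["203.0.113.9"])
    for _ in range(3):
        pba.connect("10.0.0.7")          # three connections, one log line
    print(len(pba.log), holder_at(pba.log, "203.0.113.9", 1300, 0))
```

With deterministic mode the reverse lookup is pure arithmetic and needs no log at all; with PBA, three connections from one subscriber produce a single allocation record, and a lookup for a past time is a replay of the allocation and release records up to that point. Per-connection NAPT would need one record per connection to answer the same question.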
About AFM, LTM, and CGNAT
The BIG-IP system can have up to three licensed NAT modules: AFM NAT, LTM NAT/SNAT, and CGNAT (Carrier Grade NAT). It is important to understand how these modules interact before you configure AFM NAT policies.
- You can use AFM NAT on the same system as LTM NAT/SNAT and CGNAT.
- You can use AFM NAT policies together with CGNAT policies when they are applied to the same virtual server.
- You cannot apply an AFM NAT policy to a virtual server when an LTM SNAT pool or a CGNAT LSN pool is applied to that virtual server. This restriction extends across contexts. For example, if an LTM SNAT pool or CGNAT LSN pool is applied at the route domain context that contains a virtual server, an AFM NAT policy cannot be applied at that virtual server context.
About AFM NAT policies and rules
AFM NAT policies are ordered lists of NAT rules that you apply to the global, route domain, or virtual server context. AFM NAT rules link packet matching criteria such as network protocol, IP address, and service port to a NAT mapping type, such as Static-PAT. The following list summarizes these objects.
- NAT policies: Ordered lists of NAT rules that you apply to a BIG-IP system context.
- NAT rules: Link packet matching criteria, such as source IP address, to a NAT mapping type, such as Static-PAT.
- Translation objects: Specify the NAT mapping type, IP addresses, and service ports used when translating packets that traverse network boundaries.
The available NAT mapping types:
NAT policy and rule guidelines
It is important to understand these guidelines prior to implementing AFM NAT policies and rules.
- NAT policies: AFM NAT policies are applied after AFM Network Firewall policies, so firewall rules match on the addresses and ports a packet carries before translation; write firewall rules against the original addresses, not the translated ones.
- NAT rules: Overlapping IP addresses cannot be configured within a single NAT rule. You can, however, configure overlapping addresses between two dynamic PAT items when the PAT mode is NAPT or PBA. A single NAT rule can use only IPv4 addresses or only IPv6 addresses, not a combination of both.
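The checks below, added here as an example and not part of F5's code, turn the rule guidelines in this section and the module-interaction rules from "About AFM, LTM, and CGNAT" into a pre-commit lint: one address family per rule, no overlapping addresses inside a rule, and no AFM NAT policy attached to a virtual server whose own context or any enclosing context (route domain, global) already carries an LTM SNAT pool or a CGNAT LSN pool, while a CGNAT policy on the same virtual server is permitted. The Context tree, rule objects, and names such as rd1 and lsn1 are constructed for the example.

```python
"""Lint for AFM NAT rules and policy attachment, modelled on the guidelines
on this page. Added example, not F5 code; all names and data are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    sources: List[str]   # source match addresses, e.g. "10.0.0.0/24"
    translation: str     # mapping type, e.g. "static-pat", "napt", "pba"


def rule_errors(rule: NatRule) -> List[str]:
    """Guideline checks for one rule: a single address family and no
    overlapping addresses among the rule's match addresses."""
    errors = []
    nets = [ipaddress.ip_network(a, strict=False) for a in rule.sources]
    if len({n.version for n in nets}) > 1:
        errors.append(f"{rule.name}: mixes IPv4 and IPv6 addresses in one rule")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                errors.append(f"{rule.name}: {a} overlaps {b}")
    return errors


@dataclass
class Context:
    """A BIG-IP context and the translation features already applied to it.
    parent links a virtual server to its route domain and that to global."""
    name: str
    parent: Optional["Context"] = None
    ltm_snat_pool: Optional[str] = None
    cgnat_lsn_pool: Optional[str] = None
    cgnat_policy: Optional[str] = None   # allowed alongside an AFM NAT policy


def attach_errors(ctx: Context, policy: str) -> List[str]:
    """Refuse to attach an AFM NAT policy if an LTM SNAT pool or a CGNAT LSN
    pool is applied in this context or in any enclosing context."""
    errors = []
    c = ctx
    while c is not None:
        if c.ltm_snat_pool:
            errors.append(f"{ctx.name}: cannot attach {policy}; LTM SNAT pool "
                          f"{c.ltm_snat_pool} is applied at context {c.name}")
        if c.cgnat_lsn_pool:
            errors.append(f"{ctx.name}: cannot attach {policy}; CGNAT LSN pool "
                          f"{c.cgnat_lsn_pool} is applied at context {c.name}")
        c = c.parent
    return errors


def policy_errors(rules: List[NatRule], ctx: Context, policy: str) -> List[str]:
    """All problems found in the rules plus the attachment check, in order."""
    return [e for r in rules for e in rule_errors(r)] + attach_errors(ctx, policy)


if __name__ == "__main__":
    glob = Context("global")
    rd1 = Context("rd1", parent=glob, cgnat_lsn_pool="lsn1")   # constructed
    vs1 = Context("vs1", parent=rd1, cgnat_policy="cgnat_pol")
    rules = [NatRule("r1", ["10.0.0.0/24", "10.0.1.0/24"], "napt"),
             NatRule("r2", ["10.0.0.0/16", "10.0.1.0/24", "2001:db8::/32"], "static-pat")]
    for err in policy_errors(rules, vs1, "afm_nat_pol"):
        print(err)
```

Run before pushing a policy: the second rule is rejected twice (family mix and overlap), and the attachment is rejected because the LSN pool sits one context up, at the route domain, even though the virtual server itself only carries a CGNAT policy.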
AFM NAT policy workflow
Creating a new NAT policy involves these steps:
- Creating the address and port lists used for packet matching.
- Creating the translation objects used for IP address and port mappings.
- Creating the logging profile to log mapping events.
- Creating the AFM NAT policy.
- Applying the NAT policy to a BIG-IP system context.